North Korea’s recent ballistic missile and nuclear tests, coupled with increased anti-America propaganda, have geopolitical and intelligence analysts across the world frantically assessing the likelihood of an attack on one of the many Pacific-based U.S. territories or key international allies. While it is puzzling how the isolated island of North Korea (DPRK) managed to make quantum leaps in weapons development, we decided to look into what they have been up to on the darknet and what sort of an information security threat they pose.

A country without the internet….

The vast majority of North Koreans have never actually seen the world wide web, or surface net. DPRK has partitioned its internet into two parts: an outward-facing internet connection and a regime-controlled intranet. The outward-facing connection is strictly limited to a select few and is closely monitored. Bearing in mind that only a privileged 28% of citizens even have electricity, the common citizen would have to visit a library or educational facility to access the regime-controlled intranet, called Kwangmyong (roughly translated as “bright”). This network originated in the early 2000s as a completely closed intranet system, operating via fiber optic cable.

North Korea at night shows Pyongyang as the primary source of electricity, while the rest of the country only receives electricity a few hours a day, if at all.

North Korean IP address registration

In late 2009, Star Joint Venture, a state-run, joint DPRK-Thailand company, became responsible for the outward-facing internet IP address allocation. Soon after, in 2010, Star Joint Venture launched “modern internet services” to users hand-selected by North Korea's leadership. Most of the sites, which use the .kp top-level domain, also route through China’s Unicom network (210.52.109.0/24); examples include state-sponsored news agencies and international propaganda outlets. These sites tend to regurgitate government-approved content and consist primarily of coverage of the “Great Leader’s” activities across the country. The total registered number of websites is around 28, and the North Korean IP address space includes the 175.45.176.0 – 175.45.179.255 block, with fewer than 100 domain names allocated to a handful of IPs.
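As an added example (not part of the original post), the two address ranges quoted above can be turned into a small log-triage check. The log format, labels and sample lines are constructed for illustration, and a match is only a lead for analyst review, since a source address on its own does not establish who operated it.

```python
import ipaddress
import re
from collections import Counter

# Ranges exactly as quoted in the article; the labels are this example's own.
RANGES = {
    "kp-allocated": list(ipaddress.summarize_address_range(
        ipaddress.ip_address("175.45.176.0"),
        ipaddress.ip_address("175.45.179.255"))),
    "unicom-transit": [ipaddress.ip_network("210.52.109.0/24")],
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed firewall log lines (hypothetical format, documentation dst address).
SAMPLE_LOG = [
    "2017-08-01T10:02:11Z fw ACCEPT src=175.45.178.14 dst=192.0.2.10 dport=443",
    "2017-08-01T10:02:15Z fw ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80",
    "2017-08-01T10:03:40Z fw DROP src=210.52.109.22 dst=192.0.2.10 dport=22",
    "2017-08-01T10:04:02Z fw ACCEPT src=175.45.180.1 dst=192.0.2.10 dport=443",
    "2017-08-01T10:05:19Z fw DROP src=175.45.176.0 dst=192.0.2.10 dport=25",
]

def classify(addr):
    """Return the label of the range containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return None
    for label, nets in RANGES.items():
        if any(ip in net for net in nets):
            return label
    return None

def tag_lines(lines):
    """Return (line_number, address, label) for every in-range address."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for candidate in IPV4.findall(line):
            label = classify(candidate)
            if label:
                hits.append((lineno, candidate, label))
    return hits

def summarize(lines):
    """Count hits per range label."""
    return dict(Counter(label for _, _, label in tag_lines(lines)))

if __name__ == "__main__":
    print("CIDR form:", [str(n) for n in RANGES["kp-allocated"]])
    for hit in tag_lines(SAMPLE_LOG):
        print("review:", hit)
    print(summarize(SAMPLE_LOG))
```

The quoted start and end addresses collapse to a single /22, which is the form most firewall and SIEM rules expect.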

Analysts closely monitoring the IPs of North Korean origin and basic network scanners have also revealed that the country has a preference for Apache web servers and Linux-based operating systems. Under the rule of the youngest DPRK dictator, Kim Jong Un, the North Koreans debuted their own state-developed operating system, RedStar OS. Version 3.0 was leaked in 2014 and made available for download outside of the country. RedStar OS bears a striking resemblance to Apple’s OS X, including (inaccessible) links to apple.com in its help pages. The built-in web browser, Naenara, also has an outward-facing internet site, www.naenara.com.kp, featuring more DPRK news and propaganda, updated in late 2016.

DPRK's Naenara web-portal and...

...operating system RedStar OS

Cyber Capabilities

Despite the country’s limited internet connectivity, the U.S. has assessed with high confidence that DPRK has invested in national cyber capabilities due to their relatively low cost and the low risk of reprisal attack. According to a prominent defector and former computer science professor in Pyongyang, there is a “pyramid-like prodigy recruiting system” that plucks bright students for the regime’s “cyberwarrior” program. Children as young as 12 allegedly train for years, with stints in Russia or China for cyber warfare master classes, before joining the ominously named “Bureau 121” hacker squad in Pyongyang. Global intelligence shows the agency has nearly 2,000 computer network specialists and feeds the elite “Unit 180,” which is believed to be responsible for the latest surge in attacks against financial institutions.

North Korea's Cyber Army Recruits and Trains Children

This special unit carried out complex cyber criminal operations, like the Bangladesh Bank heist, in attempts to raise capital by breaching and withdrawing funds from institutions to feed back into the DPRK military budget. Pyongyang was also suspected in attacks on banks in the Philippines, Vietnam, and Poland in 2016 alone. The total number of active members of Unit 180 is unknown but likely upwards of 5,000 distributed across Asia, with larger cells embedded in China and Malaysia. This allows DPRK to cover the origins of their attacks by using the communication technology infrastructure of other countries.

Tools in the DPRK Cyber Arsenal

The 2014 Sony hack, led by the now infamous "Lazarus" group, gave us a glimpse into the level of coordination and sophistication of DPRK-sponsored hackers. Since Lazarus, several other groups have emerged, been identified, and named by either U.S. intelligence officials or advanced malware research groups, like Kaspersky:

Earlier this summer, the U.S. Computer Emergency Readiness Team (CERT) released a joint technical alert (TA17-164A) on the indicators for a vicious malware, dubbed DeltaCharlie, used for the management of North Korea’s distributed denial-of-service (DDoS) botnet infrastructure. The malware variant was authored by a group known as "HIDDEN COBRA." In addition to DDoS botnets, HIDDEN COBRA has other exploitation toolkits such as keyloggers, remote access tools (RATs), and wiper malware; variants include Destover, Wild Positron/Duuzer, and Hangman.

In 2013, DPRK’s internet and communication infrastructure was crippled when 50,000 systems, two major television stations, and three major Korean banks were taken offline in what became known as the "DarkSeoul attacks." The hacking team, "WhoIs," was suspected, redirecting users of compromised computers to a ghoulish image of a skeleton. Based on language and coding similarities, malware analysts later determined that WhoIs, Guardians of Peace, and NewRomanic Cyber Army Team were likely all actually the same group.

Analysts from the Congressional Research Service reported that WannaCry, the globally affecting and rapidly spreading ransomware that earlier this year broke 300,000 computers across 150 countries, including the shutdown of a significant portion of the NHS in the UK, is likely also of North Korean origin. It is believed that a splinter group of Lazarus exploited and reused code used by NSA’s ShadowBrokers that was leaked online (source: https://fas.org/sgp/crs/row/R44912.pdf).

North Korea on the Darknet

Metrics from torproject.org linked to DPRK

Past attribution of hacking or malware distribution to DPRK has occurred due to the inadvertent illusion of having an IP address within the North Korean 175.45 block. While DPRK is clearly aware of the Tor Project and the darknet itself, their use of it appears minimal compared to other oppressed nations, with usage ranging from ~25-100 relays. All use is likely limited to elite cyber operations and intelligence gathering/collection, because the consequence of a non-State-affiliated citizen’s use of Tor would be execution, or worse. Tor use in DPRK has declined over the last year.

Using our darknet big data, our analysts can see that there are almost 200 hidden services available in Korean. Given the nearly 5,000+ users regularly using relays in South Korea, these services are most likely hosted on the southern end of the peninsula; for example, 70% of these are mirrors for The Hidden Wiki Korea.

Darknet Marketplace Activity

There are two Korean market sites currently active, Eastern Front and Star, but it’s not clear whether these are of South or North Korean origin, as both require a restricted, authenticated login or a referral code for access.

Eastern Front market in Korean on the darknet (http://h2ubt3eodqfpzycc.onion)

Methamphetamine offered on the darknet market, DreamMarket

DPRK is currently experiencing a large drug epidemic, with latest estimates pinning ~30% of North Koreans as crystal methamphetamine users. The country has been an extraordinary supplier for decades, producing and exporting much of the world’s crystal meth and MDMA through China. Rumors on Reddit suggest that the regime is active on darknet drug markets; however, there are no known DPRK vendors on the most active markets, Trade Route and DreamMarket. There are, however, a handful of darknet market vendors based in China offering components for drug production and chemical cutting agents that boost the effects of MDMA, opium, and methamphetamines. These could potentially be supplied by DPRK sources.

Torrent Activity

One of The Pirate Bay's photoshopped images

In 2013, DPRK allegedly offered owners of The Pirate Bay (thepiratebay.org) use of their network as "The Great Leader" was a fan of the well-known torrent site. The Swedish founders of The Pirate Bay played a hoax in which they said they had teamed up with the "Hermit Kingdom" and found refuge for their site, forged their traceroute signature to momentarily relay an IP from the North Korean block, and posted photoshopped images to social media.

Despite the North Korean-Pirate collaboration fantasy, the North Korean leadership has been known to frequent TorrentFreak and download everything from network monitoring software to episodes of How I Met Your Mother.

We can see from the above analysis that despite an oppressed citizenship, suffering from not only a drug epidemic but severely limited access to basic infrastructure and technology, North Korea participates in extensive cyber activity, from sponsoring various hacking groups and attacks to involvement in the drug trade both on the traditional black markets and on darknet marketplaces.

Stay tuned for further research and technical analysis as we continue to monitor North Korea's activity on the darknet.
